Multivariate quadratic signature scheme based on central map with oil-oil quadratic terms secure against quantum computers

ABSTRACT

An electronic device including a key generator is disclosed. The key generator acquires a first affine map, a second affine map, and a third map, and generates a public key using the first affine map, the second affine map, and the third map, the third map is a system of multivariate quadratic polynomials having n variables and m equations, at least one of the multivariate quadratic polynomials has oil-oil quadratic terms with non-zero coefficients, and the third map includes at least one set for defining vinegar variables used in an Oil and Vinegar method and index sets for defining oil variables used in the Oil and Vinegar method, and each of the first affine map, the second affine map, and the third map is a finite field.

CROSS-REFERENCE TO RELATED APPLICATION

This application claims priority under 35 U.S.C. § 119 from Korean Patent Application No. 10-2018-0134507 filed on Nov. 5, 2018, the disclosures of which are hereby incorporated by reference in their entireties.

TECHNICAL FIELD

Embodiments of the present inventive concept relate to an electronic signature, and more particularly to a method capable of performing multivariate quadratic digital signature scheme based on a central map with oil-oil quadratic terms, which is secure against quantum computers, and an electronic device capable of performing the method.

DISCUSSION OF RELATED ART

A multivariate quadratic signature means an electronic signature (or referred to as a “digital signature”) used in a multivariate cryptography system. Here, the multivariate cryptography system refers to an asymmetric cryptography system based on multivariate polynomials defined on a finite field. In particular, when a degree of multivariate polynomials used in a multivariate cryptography system is two, the multivariate cryptography system is referred to as a multivariate quadratic cryptography system.

SUMMARY

An object of the present inventive concepts is to provide a method of using a multivariate quadratic electronic signature scheme which destroys a structure without oil-oil quadratic terms by adding oil-oil quadratic terms with non-zero coefficients to at least one of multivariate quadratic polynomials, and can generate an electronic signature of a message by inverting a multivariate quadratic central map despite the existence of at least one polynomial having oil-oil quadratic terms with non-zero coefficients among multivariate quadratic polynomials, and an electronic device capable of executing the method.

An exemplary embodiment of the present inventive concepts is directed to an electronic device, including a key generator, in which the key generator acquires a first affine maps S:

_(q) ^(m)→

_(q) ^(m), a second affine map T:

_(q) ^(n)→

_(q) ^(n), and a third map

:

_(q) ^(n)→

_(q) ^(m)=(

⁽¹⁾, . . . ,

^((m))), and generates a public key

=S∘

∘T using the first affine map, the second affine map, and the third map, the third map

is a system of multivariate quadratic polynomials

⁽¹⁾, . . . ,

^((m)) having n variables and m equations, at least one of the multivariate quadratic polynomials has oil-oil quadratic terms with non-zero coefficients, the third map

includes at least one first index set for defining vinegar variables used in the Oil and Vinegar method and at least one second index set for defining oil variables used in the oil and vinegar method, and

_(q) is a finite field in which the number of elements is q.

Another exemplary embodiment of the present inventive concepts is directed to an electronic signature method using an electronic device, including acquiring a first affine maps S:

_(q) ^(m)→

_(q) ^(m), a second affine map T:

_(q) ^(n)→

_(q) ^(n), and a third map

:

_(q) ^(n)→

_(q) ^(m)=(

⁽¹⁾, . . . ,

^((m))); and generating a public key

=S∘

∘T using the first affine map, the second affine map, and the third map, in which the third map

is a system of multivariate quadratic polynomials

⁽¹⁾, . . . ,

^((m)) having n variables and m equations, at least one of the multivariate quadratic polynomials has oil-oil quadratic terms with non-zero coefficients, the third map

includes at least one first index set for defining vinegar variables used in the Oil and Vinegar method and at least one second index set for defining oil variables used in the Oil and Vinegar method, and

_(q) is a finite field in which the number of elements is q.

Still another exemplary embodiment of the present inventive concepts is directed to an electronic signature method using an electronic device, including acquiring a first affine maps S:

_(q) ^(m)→

_(q) ^(m), a second affine map T:

_(q) ^(n)→

_(q) ^(n), and a third map

:

_(q) ^(n)→

_(q) ^(m)=(

⁽¹⁾, . . . ,

^((m))), generating a public key

=S∘

∘T using the first affine map, the second affine map, and the third map, and receiving an authentication for the public key

from the outside of the electronic device after the public key

is transmitted to the outside of the electronic device, in which the third map

is a system of multivariate quadratic polynomials

⁽¹⁾, . . . ,

^((m)) having n variables and m equations, at least one of the multivariate quadratic polynomials has oil-oil quadratic terms with non-zero coefficients, the third map

includes at least one first index set for defining vinegar variables used in the Oil and Vinegar method and at least one second index set for defining oil variables used in the Oil and Vinegar method, and

_(q) is a finite field in which the number of elements is q.

BRIEF DESCRIPTION OF THE DRAWINGS

These and/or other aspects and advantages of the present general inventive concept will become apparent and more readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:

FIG. 1 is an exemplary embodiment of symmetric matrices related to quadratic parts of a central map with two layers according to the present inventive concepts;

FIG. 2 is a block diagram of an electronic device according to exemplary embodiments of the present inventive concepts;

FIG. 3 is a block diagram of an electronic device according to exemplary embodiments of the present inventive concepts;

FIG. 4 is a block diagram of an electronic device according to exemplary embodiments of the present inventive concepts; and

FIG. 5 is a flowchart which describes the operation of the electronic device shown in FIG. 2, 3, or 4.

DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS

Reference will now be made in detail to the embodiments of the present general inventive concept, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer to the like elements throughout. The embodiments are described below in order to explain the present general inventive concept by referring to the figures.

A multivariate quadratic electronic signature scheme based on a central map (or referred to as a “secret central map”) with oil-oil quadratic terms, which is secure against quantum computers, is disclosed in the present specification.

A main idea of the configuration of a multivariate quadratic (MQ) electronic signature scheme is to find an invertible map (

:

_(q) ^(n)→

_(q) ^(m)) of m multivariate quadratic polynomials having n variables. Then, two invertible affine maps or two invertible linear maps (S:

_(q) ^(m)→

_(q) ^(m) and T:

_(q) ^(n)→

_(q) ^(n)) are selected to hide a special structure of a central map

with a public key

. Each of i, j, n, m, k, q, and v in the present specification is a natural number of 1 or more.

Since the public key

is composed of a quadratic map

=S∘

∘T, and the public key

, that is, the quadratic map

=S∘

∘T, is almost indistinguishable from a random system, it is difficult to invert. Here, a circle means a composition. A secret key is composed of S.

.T which can invert the public key

.

The public key

is defined by Equation 1, and is a system

=(

⁽¹⁾, . . . ,

^((m))) of multivariate polynomials having m equations and n variables.

$\begin{matrix} {{\mathcal{P}^{(k)}\left( {x_{1},\ldots\mspace{14mu},x_{n}} \right)} = {{\overset{n}{\sum\limits_{i = 1}}{\overset{n}{\sum\limits_{j = 1}}{p_{ij}^{(k)}x_{i}x_{j}}}} + {\overset{n}{\sum\limits_{i = 1}}{p_{i}^{(k)}x_{i}}} + p_{0}^{(k)}}} & \left\lbrack {{Equation}\mspace{14mu} 1} \right\rbrack \end{matrix}$

Here, k=1, . . . , m, p_(ij) ^((k)) and p_(i) ^((k)) represent coefficients of corresponding terms, p₀ ^((k)) represents a constant, and each value is randomly chosen within a finite field

_(q) in which the number of elements is q.

The main ideas of the present inventive concepts are:

(i) to destroy the structures of conventional multivariate quadratic polynomials without oil-oil quadratic terms of non-zero coefficients by adding at least one of multivariate polynomial with oil-oil quadratic terms of non-zero coefficients to the multivariate quadratic polynomials in the central map,

(ii) to provide a new inverting method of a central map despite the existence of at least one polynomial with oil-oil quadratic terms of non-zero coefficients among the multivariate quadratic polynomials in the central map.

New Central Map According to the Present Inventive Concepts (New Central Map)

In order to configure a new central map with oil-oil quadratic terms having non-zero coefficients according to the present inventive concepts, when the number of layers is one (1) in the present inventive concepts, two index sets V and O are required. For example, the number of index sets for defining oil variables used in an Oil and Vinegar method is determined according to the number of layers or is dependent on the number of layers. V={1, . . . , v}, O={v+1, . . . , v+o}

Here, |V|=v, and |O|=o. V is an index set for defining vinegar variables used in an Oil and Vinegar method, and O is an index set for defining oil variables used in the Oil and Vinegar method.

The central map

=(

⁽¹⁾, . . . ,

^((m))), that is, a system of multivariate quadratic polynomials having m (m=o) equations and n (n=v+m) variables, is defined as in Equations 2 and 3.

^((k)) for k=1, . . . , m−1 is defined as in Equation 2.

$\begin{matrix} {{\mathcal{F}^{(k)}(x)} = {{\sum\limits_{{i \in O},{j \in V}}{\alpha_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i,{j \in V},{i \leq j}}{\beta_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i \in {V\bigcup O}}{{\gamma\;}_{i}^{(k)}x_{i}}} + \eta^{(k)}}} & \left\lbrack {{Equation}\mspace{14mu} 2} \right\rbrack \end{matrix}$

^((k)) for k=m is defined as in Equation 3.

$\begin{matrix} {{\mathcal{F}^{(k)}(x)} = {{\sum\limits_{{i \in O},{j \in V}}{\alpha_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i,{j \in V},{i \leq j}}{\beta_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i,{j \in O},{i \leq j}}{\delta_{i,j}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i \in {V\bigcup O}}{{\gamma\;}_{i}^{(k)}x_{i}}} + \eta^{(k)}}} & \left\lbrack {{Equation}\mspace{14mu} 3} \right\rbrack \end{matrix}$

Here, x is a vector x=(x₁, . . . , x_(n)), α_(ij) ^((k)), β_(ij) ^((k)), δ_(ij) ^((k)), and γ_(i) ^((k)) represent coefficients of corresponding terms, η^((k)) represents a constant, and each value is randomly chosen in the finite field

_(q) in which the number of elements is q.

When the number of layers is 1, a parameter set of the scheme according to the present inventive concepts is

_(q).v.o.

How to Invert a New Central Map

When ξ=(ξ₁, . . . , ξ_(m)) is given, processes of finding

⁻¹(ξ)=s, that is, solutions s of

(x)=ξ, are as follows.

A random vector of vinegar values, s_(v)=(s₁, . . . , s_(v))∈

_(q) ^(v) is chosen in the first layer. When the vector s_(v) is plugged into

^((i)) for i^(v)=1, . . . , m, a linear system of o−1 equations with o variables (x_(v)+1, . . . , x_(n)) and one quadratic equation with oil×oil quadratic terms of non-zero coefficients are obtained.

When Gaussian elimination is used in the linear system, each variable x_(i) for i=v+1, . . . , n−1 can be expressed by an equation of a variable x_(n).

x_(i) for i=1, . . . , n−1 is plugged into a quadratic equation acquired from

^((m)) and then the quadratic equation of x_(n) is obtained.

After a solution s_(n) of the quadratic equation of x_(n) is obtained, x_(i)=s_(i) for i=v+1, . . . , n−1 is calculated based on x_(n)=s_(n).

Then, a vector s=(s₁, . . . , s_(n)) is the solution of

(x)=ξ.

If the linear system of the first layer or the quadratic equation does not have a solution, a vector s_(v)′=(s′₁, . . . , s′_(v)) of new random vinegar values is newly chosen to perform the methods (or the processes) described above again.

When the number of layers is 2, three index sets V, O₁, and O₂ are required in the present inventive concepts to configure a new central map in accordance with the present inventive concepts having oil-oil quadratic terms of non-zero coefficients. V={1, . . . , v}, O ₁ ={v+1, . . . , v+o ₁ }, O ₂ ={v+o ₁+1, . . . , v+o ₁ +o ₂}

Here, |V|=v, and |O_(i)|=o_(i) for i=1 and 2. V is an index set for defining vinegar variables used in an Oil and Vinegar method, and O₁ and O₂ are index sets for defining oil variables used in the Oil and Vinegar method.

A central map

=(

⁽¹⁾, . . .

^((m))), that is, a system of multivariate polynomials having m=o₁+O₂ equations and n=v+m variables, is defined as shown in Equations 4 to 6.

^((k)) for k=1, . . . , o₁ is defined as shown in Equation 4.

$\begin{matrix} {{\mathcal{F}^{(k)}(x)} = {{\sum\limits_{{i \in O_{1}},{j \in V}}\;{\alpha_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i,{j \in V},{i \leq j}}{\beta_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i \in {V\bigcup O_{1}}}{{\gamma\;}_{i}^{(k)}x_{i}}} + \eta^{(k)}}} & \left\lbrack {{Equation}\mspace{14mu} 4} \right\rbrack \end{matrix}$

^((k)) for k=o₁+1, . . . , m−1 is defined as shown in Equation 5.

$\begin{matrix} {{\mathcal{F}^{(k)}(x)} = {{\sum\limits_{{i \in O_{2}},{j \in {V\bigcup O_{1}}}}\;{\alpha_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i,{j \in {V\bigcup O_{1}}},{i \leq j}}\;{\beta_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i \in {V\bigcup O_{1}\bigcup O_{2}}}{{\gamma\;}_{i}^{(k)}x_{i}}} + \eta^{(k)}}} & \left\lbrack {{Equation}\mspace{14mu} 5} \right\rbrack \end{matrix}$

^((k)) for k=m is defined as shown in Equation 6.

$\begin{matrix} {{\mathcal{F}^{(k)}(x)} = {{\sum\limits_{{i \in O_{2}},{j \in {V\bigcup O_{1}}}}{\alpha_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i,{j \in {V\bigcup O_{1}}},{i \leq j}}{\beta_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i,{j \in O_{2}},{i \leq j}}\;{\delta_{i,j}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i \in {V\bigcup O_{1}\bigcup O_{2}}}{{\gamma\;}_{i}^{(k)}x_{i}}} + \eta^{(m)}}} & \left\lbrack {{Equation}\mspace{14mu} 6} \right\rbrack \end{matrix}$

Here, x is a vector x=(x₁, . . . , x_(n)), α_(ij) ^((k)), β_(ij) ^((k)), δ_(ij) ^((k)), and γ_(i) ^((k)) represent coefficients of corresponding terms, η^((k)) represents a constant, and each value is randomly chosen in the finite field

_(q) in which the number of elements is q.

^((i)) for i=1, . . . , o₁ of is referred to as a secret polynomial in the first layer, and

^((i)) for i=o₁+1, . . . , m is referred to as a secret polynomial in the second layer.

When the number of layers is two (2), the parameter set of the scheme according to the present inventive concepts is

_(q), v, o₁, o₂.

How to Invert a New Central Map

When ξ=(ξ₁, . . . , ξ_(m)) is given, processes of finding

⁻¹(ξ)=s, that is, solutions s of

(x)=ξ, are as follows.

In the first layer, a random vector of vinegar values, s_(v)=(s₁, . . . , s_(v))∈

_(q) ^(v), is chosen. When the vector s_(v) is plugged into the first layer

^((i)) for i=1, . . . , o₁, a linear system of o₁ equations with o₁ variables is obtained. A solution (s_(v+1), . . . , s_(v+o) ₁ ) of the first linear system is obtained using Gaussian elimination.

In the second layer, values (s₁, . . . , s_(v+o) ₁ ) of the vector s_(v) of vinegar values and the solution (s_(v+1), . . . , s_(v+o) ₁ ) of the linear system are plugged into F^((j)) for j=o₁+1, . . . , m. A linear system of o₂−1 equations with o₂ variables x_(v+o) ₁ ₊₁, . . . x_(n) and one quadratic equation with oil×oil quadratic terms of non-zero coefficients are obtained.

Each variable x_(i) for i=v+o₁+1, . . . , n−1 can be expressed by an equation of variables x_(n) using Gaussian elimination in the linear system.

x_(i) for i=v+o₁+1, . . . , n−1 is plugged into the quadratic equation acquired from

^((m)) and then the quadratic equation of x_(n) is obtained.

After the solution s_(n) of the quadratic equation of x_(n) is obtained, x_(i)=s_(i) for i=v+1, . . . , n−1 is calculated based on x_(n)=s_(n).

Then, the vector s=(s₁, . . . , s_(n)) is the solution of

(x)=ξ.

If the linear system of the first layer or the quadratic equation does not have solutions, a vector s_(v)′=(s′₁, . . . , s′_(v)) of new random vinegar values is newly chosen to perform the methods (or the processes) described above again.

Key Generation or Key Generation Step

With respect to security parameters, a pair of a public key and a secret key (<PK.SK>=<

.({tilde over (S)}.

.{tilde over (T)})>) is generated as follows. A security parameter λ may represent a security level.

1. Two affine maps ({tilde over (S)} and {tilde over (T)}) are randomly selected. If {tilde over (S)} and {tilde over (T)} are not invertible, two (new) affine maps {tilde over (S)} and {tilde over (T)} are randomly selected again. Here, {tilde over (S)}=S⁻¹ and {tilde over (T)}=T⁻¹.

2. The central map

=

⁽¹⁾, . . . ,

^((m))) described above is randomly selected.

3. The public key

=S∘

∘T is calculated.

Signature Generation or Signature Generation Step

A hash message H(M) for a message M is calculated.

Here, H:{0, 1}*→

_(q) ^(m) is a collision resistant hash function.

1. {tilde over (S)}(H(M))=ξ is calculated.

2.

⁻¹(ξ)=s, that is, a vector s for

(s)=ξ, is obtained.

As described in the method of inverting a new central map,

(1) a random vector of vinegar values s_(v)=(s₁, . . . , s_(v))ϵ

_(q) ^(v) is chosen,

(2) the vector s_(v) is plugged into the first layer F^((i)) for i=1, . . . , o₁,

(3) a linear system of o₁ equations with o₁ variables is obtained, and

(4) a solution (s_(v+1), . . . , s_(v+o) ₁ ) of the linear system is obtained using Gaussian elimination.

Values (s₁, . . . , s_(v+o) ₁ ) of the vector s_(v) and the solutions (s₁, . . . , s_(v+o) ₁ ) of the linear system are plugged into F^((i)) for i=o₁+1, . . . , m, and a linear system of o₂−1 equations with o₂ variables and one quadratic equation with variables (x_(v+o) ₁ ₊₁, . . . , x_(n)) are obtained.

In the linear system, x_(i)(i=v+o₁+1, . . . , n−1) expressed by an equation with variables x_(n) is obtained.

x_(i) for i=v+o₁+1, . . . , n−1 is plugged into a quadratic equation acquired from

^((m)) as the quadratic equation of x_(n) is obtained.

After the solution s_(n) of the quadratic equation of x_(n) is obtained, x_(i)=s_(i) for i=v+o₁+1, . . . , n−1 is calculated based on x_(n)=s_(n).

Then, s=(s₁, . . . , s_(n)) is the solution of

(x)=ξ.

When one of the linear system of the first layer and the quadratic equation of the second layer does not have a solution, another vector s_(v)′=(s′₁, . . . , s′_(v)) of vinegar values will be chosen, and the processes described above will be performed again.

3. {tilde over (T)}(s)=σ is calculated. σ refers to an electronic signature of the message M.

Verification or Verification Step

When the electronic signature σ for the message M and the public key

are given, it is checked whether

(σ)=H(M). When

(σ)=H(M), the electronic signature σ is accepted, and otherwise, the electronic signature σ is rejected.

FIG. 1 is an exemplary embodiment of symmetric matrices related to quadratic parts of a central map with two layers according to the present inventive concepts. Referring to FIG. 1, F^((k)) (1≤k≤m) is symmetric matrices corresponding to a homogeneous quadratic part of a k^(th) polynomial of a central map

according to an exemplary embodiment of the present inventive concepts.

Referring to the symmetric matrices F^((i)) shown in FIG. 1, white parts represent elements of zero, and gray parts or quadrangles represent non-zero elements. P^((k)) (1≤k≤m) is symmetric matrices correspondnig to a quadratic part of a k^(th) polynomial of the public key

. Referring to FIG. 1, when k=m, non-zero elements are present in o₂×o₂ terms (or oil-oil quadratic terms). When 1≤k≤m,

^((k)) having oil-oil quadratic terms can be presented regardless of a value of k.

For example, when the number of layers is two,

^((k)) for k=1, . . . , o₁ in the first layer is defined as shown in Equation 7.

$\begin{matrix} {{\mathcal{F}^{(k)}(x)} = {{\sum\limits_{{i \in O_{1}},{j \in V}}{\alpha_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i,{j \in V},{i \leq j}}{\beta_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i \in {V\bigcup O_{1}}}{{\gamma\;}_{i}^{(k)}x_{i}}} + \eta^{(k)}}} & \left\lbrack {{Equation}\mspace{14mu} 7} \right\rbrack \end{matrix}$

^((k)) for k=o₁+1, . . . , m−1 in a second layer is defined as shown in Equation 8.

$\begin{matrix} {{\mathcal{F}^{(k)}(x)} = {{\sum\limits_{{i \in O_{2}},{j \in {V\bigcup O_{1}}}}{\alpha_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i,{j \in {V\bigcup O_{1}}},{i \leq j}}{\beta_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i \in {V\bigcup O_{1}\bigcup O_{2}}}\;{{\gamma\;}_{i}^{(k)}x_{i}}} + \eta^{(k)}}} & \left\lbrack {{Equation}\mspace{14mu} 8} \right\rbrack \end{matrix}$

^((k)) for k=m in the second layer is defined as shown in Equation 9.

$\begin{matrix} {{\mathcal{F}^{(k)}(x)} = {{\sum\limits_{{i \in O_{2}},{j \in {V\bigcup O_{1}}}}{\alpha_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i,{j \in {V\bigcup O_{1}}},{i \leq j}}{\beta_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i,{j \in O_{2}},{i \leq j}}\;{\delta_{i,j}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i \in {V\bigcup O_{1}\bigcup O_{2}}}{{\gamma\;}_{i}^{(k)}x_{i}}} + \eta^{(m)}}} & \left\lbrack {{Equation}\mspace{14mu} 9} \right\rbrack \end{matrix}$

A general case can be described as follows.

When u≥1, v₁, . . . , v_(u+1) are integers, and 0<v₁<v₂< . . . <v_(u)<v_(u+1)=n. Here, u represents the number of layers.

Sets of integers V_(i)={1, . . . , v_(i)} for i=1, . . . , u, and, when i=1, . . . , u, a set o_(i)=v_(i+1)−v_(i) and a set O_(i)={v_(i)30 1, . . . , v_(i+1)} are defined. Then, |V_(i)|=v_(i), |O_(i)|=o_(i), m=o₁+ . . . +o_(u), n=v₁+m, and v₁=v.

Polynomials F^((k)) having n variables x₁, . . . , x_(n) k=1, . . . , m−1 are defined as shown in Equation 10.

$\begin{matrix} {{\mathcal{F}^{(k)}(x)} = {{\sum\limits_{{i \in O_{l}},{j \in V_{l}}}{\alpha_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i,{j \in V_{l}},{i \leq j}}{\beta_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i \in {V_{l}\bigcup O_{l}}}{{\gamma\;}_{i}^{(k)}x_{i}}} + \eta^{(k)}}} & \left\lbrack {{Equation}\mspace{14mu} 10} \right\rbrack \end{matrix}$

Here, l is the only integer satisfying k∈O_(l), and x=(x₁, . . . , x_(n)).

When k=m, the polynomials F^((k)) are defined by Equation 11.

$\begin{matrix} {{\mathcal{F}^{(k)}(x)} = {{\sum\limits_{{i \in O_{u}},{j \in V_{u}}}{\alpha_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i,{j \in V_{u}},{i \leq j}}{\beta_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i,{j \in {{O_{u,}i} \leq j}}}{\delta_{i,j}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i \in {V_{u}\bigcup O_{u}}}{{\gamma\;}_{i}^{(k)}x_{i}}} + \eta^{(k)}}} & \left\lbrack {{Equation}\mspace{14mu} 11} \right\rbrack \end{matrix}$

FIG. 2 is a block diagram of an electronic device according to exemplary embodiments of the present inventive concepts. Referring to FIG. 2, an electronic device 100A may include a key generator 200A, a digital signature generator 300A, and a verification device 400. The electronic device 100A, 100B, or 100C, collectively 100 to be described in the present specification may refer to an electronic system (or a quantum computer) which generates and verifies an electronic signature σ according to a multivariate quadratic electronic signature scheme based on the central map

=(

⁽¹⁾, . . . ,

^((m))) having oil-oil (or oil×oil) quadratic terms of non-zero coefficients.

Although it is shown in FIGS. 2 to 4 that the key generator, the digital signature (or electronic signature) generator, and verification device are implemented as separate pieces of hardware, all of constituents corresponding to the key generator, the digital signature generator, and the verification device can be created by a computer program (or a computer program code).

The key generator 200A may perform the key generation (or key generation step) described above. For example, the key generator 200A may generate a public key

=(

⁽¹⁾, . . . ,

^((m)))=S∘

∘T using a first affine map S, a second affine map T, and a third map (for example, the central map

).

The key generator 200A may include a processor 210 and a memory device 220. The memory device 220 may be implemented as a non-volatile memory device which stores maps including the first affine map S, the second affine map T, and the third map (for example, the central map

).

The processor 210 may generate the public key

=(

⁽¹⁾, . . . ,

^((m)))=S∘

∘T using the maps S, T, and

stored in the memory device 220, and the security parameter λ may be input from the outside of the key generator 200A.

The key generator 200A may transmit the maps S, T, and

and the public key

=(

⁽¹⁾, . . . ,

^((m)))=S∘

∘T to the digital signature generator 300A through a first communication network.

According to exemplary embodiments, when the key generator 200A transmits the public key

to an authentication generator (or an authentication institute), the authentication generator may generate an authentication (or a certificate) for the public key

, and transmit a generated authentication to the key generator 200A. As a result, the key generator 200A may transmit the public key

and/or the authentication to the digital signature generator 300A. The public key

in the present specification and claims may be understood as a generic reference to the public key

and the authentication for the public key

.

The digital signature generator 300A may perform the signature generation (or the signature generation step) described above. For example, a processor 310 of the digital signature generator 300A may receive the maps S, T, and

transmitted from the key generator 200A, calculate inversions {tilde over (S)}=S⁻¹ and {tilde over (T)}=T⁻¹ of the maps S and T, store calculated inversions {tilde over (S)}=S⁻¹ and {tilde over (T)}=T⁻¹ in the memory device 320, and perform the signature generation (or the signature generation step) using the maps {tilde over (S)}=S⁻¹,

, and {tilde over (T)}=T⁻¹ stored in the memory device 320.

The processor 310 may generate a hash message H(M) by applying a hash function to a given message M, generate an electronic signature σ for the hash message H(M) on the basis of contents described in the signature generation (or the signature generation step), and transmit one of the public key

and the authentication including the public key

, the message M, and the electronic signature σ to the verification device 400 through a third communication network.

The first communication network, the second communication network, and the third communication network may be the same communication network or different communication networks, but the present exemplary embodiment is not limited thereto. For example, the message M may be input from the outside of the digital signature generator 300A.

The verification device 400 may perform the verification (or the verification step) described above. For example, the verification device 400 may check whether P(σ)=H(M) using one of the public key

and the authentication including the public key

transmitted from the digital signature device 300A, the message M, and the electronic signature σ, and determine whether to accept or to reject the electronic signature σ in accordance with a result of the check. For example, the verification device 400 can perform the verification step by extracting the public key

from the authentication even though the authentication for the public key

is received instead of the public key

.

FIG. 3 is a block diagram of an electronic device according to exemplary embodiments of the present inventive concepts. Referring to FIG. 3, an electronic device 100B may include a key generator 200B, a digital signature generator 300B, and the verification device 400.

The key generator 200B may perform the key generation (or the key generation step) described above. The memory device 220 of the key generator 200B stores maps including the first affine map S, the second affine map T, and the third map (for example, the central map

), and a computer program for performing a function of calculating each of the inversions {tilde over (S)}=S⁻¹ and {tilde over (T)}=T⁻¹ of respective maps S and T, and a function of generating the public key

=(

⁽¹⁾, . . . ,

^((m)))=S∘

∘T using the maps S, T, and

.

The processor 210 may generate the public key

=(

⁽¹⁾, . . . ,

^((m)))=S∘

∘T by executing the computer program. For example, the security parameter λ may be input from the outside of the key generator 200B.

The key generator 200B calculates inversions {tilde over (S)} and {tilde over (T)}, and safely transmits the inversions {tilde over (S)} and {tilde over (T)}, the third map

, and the public key

to the digital signature generator 300B.

According to exemplary embodiments, when the key generator 200B transmits the public key

to an authentication generator (or an authentication institute), the authentication generator may generate an authentication for the public key

, and transmit a generated authentication to the key generator 200B. As a result, the key generator 200B may safely transmit the inversions {tilde over (S)} and {tilde over (T)}, the third map

, and the authentication to the digital signature generator 300B.

The digital signature generator 300B may perform the signature generation (or the signature generation step) described above. For example, the processor 310 of the digital signature generator 300B may receive the maps {tilde over (S)}, {tilde over (T)}, and

transmitted from the key generator 200B, store them in the memory device 320, and perform the signature generation (or the signature generation step) using the maps {tilde over (S)}=S⁻¹,

, and {tilde over (T)}=T⁻¹ stored in the memory device 320. According to exemplary embodiments, when the key generator 200B transmits an authentication for the public key

, the authentication may be stored in the memory device 320 under control of the processor 310.

The processor 310 of the digital signature generator 300B may generate a hash message H(M) by applying a hash function to a given message M, generate an electronic signature σ for the hash message H(M) on the basis of contents described in the signature generation (or the signature generation step), and transmit one of the public key

and the authentication including the public key

, the message M, and the electronic signature σ to the verification device 400 at the same time through the third communication network.

The verification device 400 may perform the verification (or the verification step) described above. For example, the verification device 400 may check whether P(σ)=H(M) using one of the public key

and the authentication including the public key

transmitted from the digital signature device 300B, the message M, and the electronic signature σ, and determine whether to accept or to reject the electronic signature σ in accordance with a result of the check.

FIG. 4 is a block diagram of an electronic device according to exemplary embodiments of the present inventive concepts. Referring to FIGS. 2 and 3, the key generator 200A or 200B may be implemented as devices that do not share one system board or one silicon substrate. However, the key generator 200 and the digital signature generator 300 in an electronic device 100C of FIG. 4 may share one system board or one silicon substrate 501 in one electronic device 500. The system board 501 may refer to a main circuit board, a main printed circuit board (PCB), or a system board in an electronic device or a computer.

The key generator 200 that performs a key generation transmits the information S, T,

, and

, or {tilde over (S)}, {tilde over (T)},

, and

to the digital signature generator 300. As described above, the key generator 200 transmits an authentication including the information S, T, and

or {tilde over (S)}, {tilde over (T)}, and

and the public key

to the digital signature generator 300.

The digital signature generator 300 that performs a signature generation may generate an electronic signature σ using the information S, T,

, and

, or {tilde over (S)}, {tilde over (T)},

, and

, and transmit one of the public key

and the authentication including the public key

, the message M, and the electronic signature σ to the verification device 400 at the same time through the third communication network. The verification device 400 may perform verification.

FIG. 5 is a flowchart which describes the operation of the electronic device shown in FIG. 2, 3, or 4. Referring to FIGS. 2 to 5, the maps S and T or {tilde over (S)} and {tilde over (T)} are calculated (S110). The inversions {tilde over (S)} and {tilde over (T)} may be calculated by the digital signature generator 300A of FIG. 2, may be calculated by the key generator 200B of FIG. 3, or may be generated or calculated by the key generator 200 of FIG. 4.

The operation of each device 100 can be briefly described with reference to FIGS. 2 to 5 as follows.

The key generator 200A, 200B, or 200 (collectively, referred to as 200) randomly selects the third map

(S120).

The key generator 200 calculates a public key

=S∘

∘T (S130).

When a message M is given, the digital signature generator 300A, 300B, or 300 (collectively, referred to as 300) calculates H(M) and {tilde over (S)} (H(M))=ξ(S140).

The digital signature generator 300 calculates

⁻¹(ξ)=s (S150).

The digital signature generator 300 calculates {tilde over (T)}(s)=σ (S160).

The verification device 400 checks whether P(σ)=H(M) using one of the public key

=S∘

∘T and an authentication including the public key

=S∘

∘T, the message M, and the electronic signature σ (S170).

The key generation, the signature generation, and the verification described in the present specification can be performed by a computer program (or program codes) executed in each device 100A, 100B, or 100C. The computer program (or the program codes) which is installed in a computer (for example, each device 100A, 100B, or 100C) and can be read by the computer may be stored in a recording medium. The storage medium (for example, 210 or 220) denotes a non-transitory storage medium.

The multivariate quadratic electronic signature scheme according to the exemplary embodiments of the present inventive concepts can safely generate an electronic signature of a message by inverting the central map despite of the existence of oil-oil quadratic terms of non-zero coefficients on the basis of a central map having oil-oil quadratic terms of non-zero coefficients.

Although a few embodiments of the present general inventive concept have been shown and described, it will be appreciated by those skilled in the art that changes may be made in these embodiments without departing from the principles and spirit of the general inventive concept, the scope of which is defined in the appended claims and their equivalents. 

What is claimed is:
 1. An electronic device for generating and verifying an electronic signature, the electronic device including: a key generator including a first memory configured to store a first affine map S:F_(q) ^(m)→F_(q) ^(m) and a second affine map S:F_(q) ^(n)→F_(q) ^(n), and a first processor connected to the memory, wherein the processor of the key generator is configured to: acquire the first affine map S and the second affine map T from the memory, randomly generate a third map F:F_(q) ^(n)→F_(q) ^(n)=(F⁽¹⁾, . . . , F^((m))), and generate a public key P using the first affine map, the second affine map, and the third map by composition, wherein the third map F is a system of multivariate quadratic polynomials F⁽¹⁾, . . . , F^((m)) having n variables and m equations, wherein at least one of the multivariate quadratic polynomials has oil times oil quadratic terms with non-zero coefficients, and wherein the third map F includes at least one first index set for defining vinegar variables used in an Oil and Vinegar method and at least one second index set for defining oil variables used in the Oil and Vinegar method, and F₂ is a finite field in which the number of elements is q; a digital signature generator connected to the key generator via a first communication network and configured to receive the public key P via the first communication network and a message M, and generate an electronic signature σ for the message M, wherein the digital signature generator calculates a hash function H(M) for the message M, calculates {tilde over (s)}(H(M))=ξ when ξ=(ξ₁, . . . , ξ_(m)) is given, calculates a vector s satisfying F⁻¹(ξ)=s, and calculates {tilde over (T)}(s)=σ to generate the signature σ; and a verification device connected to the digital signature generator via a second communication network and configured to: receive the public key P, the message M, and the electronic signature a; verify whether P(α) is equal to H(M); and and accept or reject the electronic signature a based on the verification.
 2. The electronic device of claim 1, wherein, when u representing the number of layers is 1 or more, v₁, . . . , v_(u+1) are integers, 0<v₁<v₂< . . . <v_(u)<v_(u+1)=n, the at least one first index set is sets of integers v_(i)={1, . . . , v_(i)}, the at least one second index set is sets of integers O_(i)={v_(i)+1, . . . , v_(i+1)}, o_(i)=v_(i+1)−v_(i), |V|=v, |O_(i)|=o_(i), i=1, . . . , u, m=o₁+ . . . +o_(u), and n=v₁+m.
 3. The electronic device of claim 1, wherein the at least one first index set is V={1, . . . , v}, the at least one second index set is O₁={v+1, . . . , v+o₁}O₂={v+o₁+1, . . . , v+o₁+o₂}, |V|=v, |O_(i)|=o_(i), i=1 and 2, a last polynomial F^((m)) of the multivariate quadratic polynomials F⁽¹⁾, . . . , F^((m)) has the oil times oil quadratic terms with non-zero coefficients, the m=o₁+o₂, and the n=v+m.
 4. The electronic device of claim 1, wherein, when a layer of F^((k)) includes a first layer and a second layer, F^((k)) for k=1, . . . , o₁ in the first layer is defined as follows ${{\mathcal{F}^{(k)}(x)} = {{\sum\limits_{{i \in O_{1}},{j \in V}}{\alpha_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i,{j \in V},{i \leq j}}{\beta_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i \in {V\bigcup O_{1}}}{\gamma_{i}^{(k)}x_{i}}} + \eta^{(k)}}},$ F^((k)) for k=o₁+1, . . . , m−1 in the second layer is defined as follows ${{\mathcal{F}^{(k)}(x)} = {{\sum\limits_{{i \in O_{2}},{j \in {V\bigcup O_{1}}}}{\alpha_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i,{j \in {V\bigcup O_{i}}},{i \leq j}}{\beta_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i \in {V\bigcup O_{1}\bigcup O_{2}}}{\gamma_{i}^{(k)}x_{i}}} + \eta^{(k)}}},$ F^((k)) for k=m in the second layer is defined as follows ${{\mathcal{F}^{(k)}(x)} = {{\sum\limits_{{i \in O_{2}},{j \in {V\bigcup O_{1}}}}{\alpha_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i,{j \in {V\bigcup O_{1}}},{i \leq j}}{\beta_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i,{j \in O_{2}},{i \leq j}}{\delta_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i \in {V\bigcup O_{1}\bigcup O_{2}}}{\gamma_{i}^{(k)}x_{i}}} + \eta^{(m)}}},$ and a vector herein x=(x₁, . . . , x_(n)).
 5. The electronic device of claim 1, wherein the at least one first index set is v={1, . . . , v}, the at least one second index set is O={v+1, . . . , v+o}, |V|=v, |O|=o, F^((k)) for k=1, . . . , m−1 is defined as follows $\mspace{20mu}{{\mathcal{F}^{(k)}(x)} = {{\sum\limits_{{i \in O},{j \in V}}{\alpha_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i,{j \in V},{i \leq j}}{\beta_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i \in {V\bigcup O}}{{\gamma\;}_{i}^{(k)}x_{i}}} + \eta^{(k)}}}$ F^((k)) for k=m is defined as follows ${{\mathcal{F}^{(k)}(x)} = {{\sum\limits_{{i \in O},{j \in V}}{\alpha_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i,{j \in V},{i \leq j}}{\beta_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i,{j \in O},{i \leq j}}{\delta_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i \in {V\bigcup O}}{\gamma_{i}^{(k)}x_{i}}} + \eta^{(k)}}},$ and a vector herein x=(x₁, . . . , x_(n)).
 6. An electronic signature method using an electronic device comprising: acquiring a first affine map S:F_(q) ^(m)→F_(q) ^(m), a second affine map T:F_(q) ^(n)→F_(q) ^(n), and a third map F:F_(q) ^(n)→F_(q) ^(m)=(F⁽¹⁾, . . . , F^((m))); generating a public key P=S·F·T using the first affine map, the second affine map, and the third map, wherein the third map F is a system of multivariate quadratic polynomials F⁽¹⁾, . . . , F^((m)) having n variables and m equations, at least one of the multivariate quadratic polynomials has oil times oil quadratic terms with non-zero coefficients, the third map F includes at least one first index set for defining vinegar variables used in an Oil and Vinegar method and at least one second index set for defining oil variables used in the Oil and Vinegar method, F_(q) and is a finite field in which the number of elements is q; receiving a message M via a first communication network; calculating a first inversion S of the first affine map S and a second inversion T of the second affine map T; generating a signature σ of the message M using the first inversion {tilde over (S)}, the second inversion {tilde over (T)}, and the third map F; and calculating a hash function H(M) for the message M, calculates (H(M))=ξ when is given, calculates a vector satisfying, and calculates to generate the signature σ; verifying whether P(σ) is equal to H(M); and accepting or rejecting the electronic signature σ based on the verification.
 7. The electronic signature method using an electronic device of claim 6, wherein, when u representing the number of layers is 1 or more, v₁, . . . , v_(u+1) are integers, 0<v₁<v₂< . . . <v_(u)<v_(u+1)=n, the at least one first index set is sets of integers V_(i)={1, . . . , v_(i)}, the at least one second index set is sets of integers O_(i)={v_(i)+1, . . . , v_(i+1)}, o_(i)=v_(i)+1−v_(i), |V_(i)|=v_(i), |O_(i)|=o_(i), i=1, . . . , u, m=o₁+ . . . +o_(u), and n=v_(i)+m.
 8. The electronic signature method using an electronic device of claim 7, wherein the multivariate quadratic polynomials having n variables x₁, . . . , x_(n) for k=1, . . . , m−1 are defined as follows ${{\mathcal{F}^{(k)}(x)} = {{\sum\limits_{{i \in O_{l}},{j \in V_{l}}}{\alpha_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i,{j \in V_{l}},{i \leq j}}{\beta_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i \in {V_{l}\bigcup O_{l}}}{\gamma_{i}^{(k)}x_{i}}} + \eta^{(k)}}},$ l is the only integer satisfying, kϵO_(l), and x=(x₁, . . . , x_(n)), and when k=m, the multivariate quadratic polynomials are defined as follows ${{\mathcal{F}^{(k)}(x)} = {{\sum\limits_{{i \in O_{u}},{j \in V_{u}}}{\alpha_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i,{j \in V_{u}},{i \leq j}}{\beta_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i,{j \in O_{u}},{i \leq j}}{\delta_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i \in {V_{u}\bigcup O_{u}}}{\gamma_{i}^{(k)}x_{i}}} + \eta^{(k)}}},$ and 1≤k≤m.
 9. The electronic signature method using an electronic device of claim 6, wherein the at least one first index set is V={1, . . . , v}, the at least one second index set is O₁={v+1, . . . , v+o₁}O₂={v+o₁+1, . . . , v+o₁+o₂}, |V|=v, |O_(i)|=o_(i), i=1 and 2, a last polynomial F^((m)) of the multivariate quadratic polynomials F⁽¹⁾, . . . , F^((m)) has the oil times oil quadratic terms with non-zero coefficients, the m=o₁+o₂, and the n=v+m.
 10. The electronic signature method using an electronic device of claim 6, wherein the at least one first index set is V={1, . . . , v}, the at least one second index set is O={v+1, . . . , v+o}, |V|=v, |O|=o, F^((k)) for k=1, . . . , m−1 is defined as follows ${{\mathcal{F}^{(k)}(x)} = {{\sum\limits_{{i \in O},{j \in V}}{\alpha_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i,{j \in V},{i \leq j}}{\beta_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i \in {V\bigcup O}}{\gamma_{i}^{(k)}x_{i}}} + \eta^{(k)}}},$ F^((k)) for k=m is defined as follows ${{\mathcal{F}^{(k)}(x)} = {{\sum\limits_{{i \in O},{j \in V}}{\alpha_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i,{j \in V},{i \leq j}}{\beta_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i,{j \in O},{i \leq j}}{\delta_{ij}^{(k)}x_{i}x_{j}}} + {\sum\limits_{i \in {V\bigcup O}}{\gamma_{i}^{(k)}x_{i}}} + \eta^{(k)}}},$ and a vector herein x=(x₁, . . . , x_(n)).
 11. An electronic signature method using an electronic device comprising: acquiring a first affine map S:F_(q) ^(m)→F_(q) ^(m) a second affine map T:F_(q) ^(n)→F_(q) ^(n), and a third map F:F_(q) ^(n)→F_(q) ^(m)=(F⁽¹⁾, . . . , F^((m))); generating a public key P=S·F·T using the first affine map, the second affine map, and the third map; receiving an authentication for the public key P via a first communication network, after the public key P is transmitted to the outside of the electronic device, wherein the third map F is a system of multivariate quadratic polynomials F⁽¹⁾, . . . , F^((m)) having n variables and m equations, at least one of the multivariate quadratic polynomials has oil times oil quadratic terms with non-zero coefficients, the third map F includes at least one first index set for defining vinegar variables used in an Oil and Vinegar method and at least one second index set for defining oil variables used in the Oil and Vinegar method, and F_(q) is a finite field in which the number of elements is q; receiving a message M from the outside of the electronic device; calculating a first inversion {tilde over (S)} of the first affine map S and a second inversion {tilde over (T)} of the second affine map T; generating a signature σ of the message M using the first inversion {tilde over (S)}, the second inversion {tilde over (T)}, and the third map F; and calculating a hash function H(M) for the message M, calculates (H(M))=ξ when is given, calculates a vector satisfying, and calculates to generate the signature σ; verifying whether P(σ) is equal to H(M); and accepting or rejecting the electronic signature σ based on the verification.
 12. The electronic signature method of claim 11, wherein, when u representing the number of layers is 1 or more v₁, . . . , v_(u+1) are integers, 0<v₁<v₂< . . . <v_(u)<v_(u+1)=n, the at least one first index set is sets of integers V_(i)={1, . . . , v_(i)}, the at least one second index set is sets of integers O_(i)={v_(i)+1, . . . , v_(i+1)}, o_(i)=v_(i)+1−v_(i), |V_(i)|=v_(i), |O_(i)|=o_(i), i=1, . . . , u, m=o₁+ . . . +o_(u), and n=v_(i)+m.
 13. The electronic signature method of claim 11, wherein the at least one first index set is V={1, . . . , v}, the at least one second index set is O₁={v+1, . . . , v+o₁}O₂={v+o₁+1, . . . , v+o₁+o₂}, |V|=v, |O_(i)|=o_(i), i=1 and
 2. 14. The electronic signature method of claim 11, wherein the at least one first index set is V={1, . . . , v}, the at least one second index set is O={v+1, . . . , v+o}, |V|=v, and |O|=o. 